Use AWS Roles for Authorization instead of handing over IAM Credentials

It is a pretty common pattern for 3rd party systems which need access to your AWS account to use a role from their own AWS account to do so. Here is an example from another provider (this is the assume role policy):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXX:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "XXXXXX-XXXXX...."
                }
            }
        }
    ]
}

In this case, the provider even created a 1-click cloudformation stack that was very easy to review and apply.

Why can this be preferred compared to setting up IAM credentials?

  • Since there are no credentials, there is no potential for credentials leaking. As long as Doppler keeps their AWS account safe, it is safe. It might be possible to add a second layer of validation using the external fields in STS (as in the example above), which could make it even safer.
  • Handling these credentials safely is a bit of a pain.
  • Lots of AWS review tools will flag individual user accounts, instead preferring roles with well defined trust relationships.

I hope this is something that can be added soon. Doppler is basically the only integration that we use which does not currently support this.
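As an added illustration (not part of the original post, and not Doppler's or any provider's code), here is a small Python check of the trust-policy pattern described above: it flags an assume-role statement that trusts a wildcard principal or that lacks an exact-match sts:ExternalId condition. The account id and external id in the sample policies are constructed placeholders.

```python
import json

# Constructed sample values; neither is taken from the post or from a real account.
PROVIDER_ACCOUNT_ID = "111111111111"  # hypothetical third-party provider account
EXTERNAL_ID = "example-external-id"   # hypothetical shared external id

# Trust policy following the pattern in the post: a specific provider account is
# trusted, and the provider must also present the agreed ExternalId.
STRONG_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PROVIDER_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Same role, but any AWS principal may assume it and no ExternalId is required.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Return a list of finding codes for an IAM role trust (assume-role) policy.

    Accepts the policy as a dict or as a JSON string. An empty list means every
    Allow statement granting sts:AssumeRole names a specific AWS principal and
    requires an exact-match sts:ExternalId.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue

        # Principal may be {"AWS": "..."} , {"AWS": [...]} or the bare string "*".
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = _as_list(principal)
        if "*" in aws_principals:
            findings.append("wildcard-principal")

        # Look for an sts:ExternalId condition. Only an exact-match operator pins
        # the value; a StringLike pattern containing '*' or '?' does not.
        exact_external_ids = []
        for operator, keys in stmt.get("Condition", {}).items():
            values = _as_list(keys.get("sts:ExternalId"))
            if not values:
                continue
            is_pattern = operator in ("StringLike", "StringLikeIfExists")
            if is_pattern and any("*" in v or "?" in v for v in values):
                findings.append("wildcard-external-id")
            else:
                exact_external_ids.extend(values)
        if not exact_external_ids and "wildcard-external-id" not in findings:
            findings.append("missing-external-id")
    return findings


if __name__ == "__main__":
    for name, policy in (("strong", STRONG_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, check_trust_policy(json.dumps(policy)) or "ok")
```

The check is deliberately narrow: trusting the provider account's `:root` principal is the expected shape for this pattern (it delegates to that account's own IAM), so the script does not flag it, only the two weaknesses that would let an unrelated account or an unintended customer of the provider assume the role.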

It’s coming later this year!
